# Security Information for a Domain

The security information API method returns multiple scores, or security features, each of which can be used as a datapoint when building insight into the reputation or security risk posed by a site. No single security information feature is conclusive; these features should be looked at in conjunction with one another as part of your security research.

Sample query:

```text
curl -H "Authorization: Bearer %YourToken%" "https://investigate.api.umbrella.com/security/name/example.com"
```

### Parameter for input ###

| Field | Type | Description |
| --- | --- | --- |
| name | string | domain name |

### Returned value for output if Success 200 ###

| Field | Type | Description |
| --- | --- | --- |
| dga_score | float | Domain Generation Algorithm. This score is based on the likelihood of the domain name having been generated by an algorithm rather than by a human. The algorithm is designed to identify domains created using an automated randomization strategy, a common evasion technique in malware kits and botnets. This score ranges from -100 (suspicious) to 0 (benign). |
| perplexity | float | A second score on the likelihood of the name being algorithmically generated, on a scale from -100 to 0. To be used in conjunction with dga_score. |
| entropy | float | The number of bits required to encode the domain name, as a score. To be used in conjunction with dga_score and perplexity. |
| securerank2 | float | Suspicious rank for a domain, based on the lookup behavior of the client IPs that query it. Securerank is designed to identify hostnames requested by known infected clients but never requested by clean clients, on the assumption that such domains are more likely to be malicious. Scores range from -100 (suspicious) to 100 (benign). |
| pagerank | float | Popularity according to Google's PageRank algorithm. |
| asn_score | float | ASN reputation score, ranging from -100 to 0, with -100 being very suspicious. |
| prefix_score | float | Prefix ranks domains given their IP prefixes (an IP prefix is the first three octets of an IPv4 address) and the reputation score of those prefixes. Ranges from -100 to 0, with -100 being very suspicious. |
| rip_score | float | RIP ranks domains given their IP addresses and the reputation score of those IP addresses. Ranges from -100 to 0, with -100 being very suspicious. |
| _fastflux_ | n/a | **NOTE:** This property is deprecated in this endpoint. Use the ff_candidate feature in the DNS RR History endpoint instead. The sample response below still carries the field; do not rely on it. |
| popularity | float | The number of unique client IPs visiting this site, relative to all requests to all sites: a score of how many different client IPs go to this domain compared to other domains. |
| geodiversity | array | The share of queries from clients visiting the domain, broken down by country. Each element is a [country_code, ratio] pair; the ratio is non-normalized, between 0 and 1. |
| geodiversity_normalized | array | The share of queries from clients visiting the domain, broken down by country. Each element is a [country_code, ratio] pair; the ratio is normalized, between 0 and 1. |
| tld_geodiversity | array | Represents the TLD country-code geodiversity as a percentage of clients visiting the domain. Populated most often for domains with a ccTLD. The ratio is normalized, between 0 and 1. |
| geoscore | float | A score representing how far apart the different physical locations serving this name are from each other. |
| ks_test | float | Kolmogorov–Smirnov test on geodiversity. 0 means that the client traffic matches what is expected for this TLD. |
| attack | string | The name of any known attack associated with this domain. Returns an empty string if no known threat is associated with the domain. |
| threat_type | string | The type of the known attack, such as botnet or APT. Returns an empty string if no known threat is associated with the domain. |
| found | boolean | Returns true if results are available for the domain. A value of true together with empty attack and threat_type fields means data exists but no known threat is attached (as in the sample response below). |

### Example ###

GET https://investigate.api.umbrella.com/security/name/example.com

Request:

```text
curl --include \
     --header "Authorization: Bearer %YourToken%" \
     https://investigate.api.umbrella.com/security/name/example.com
```

Response (HTTP 200, Content-Type: application/json):

```json
{
  "dga_score": 38.301771886101335,
  "perplexity": 0.4540313302593146,
  "entropy": 2.5216406363433186,
  "securerank2": -1.3135141095601992,
  "pagerank": 0.0262532,
  "asn_score": -29.75810625887133,
  "prefix_score": -64.9070502788884,
  "rip_score": -75.64720536038982,
  "popularity": 25.335450495507196,
  "fastflux": false,
  "geodiversity": [
    ["UA", 0.24074075],
    ["IN", 0.018518519]
  ],
  "geodiversity_normalized": [
    ["AP", 0.3761535390278368],
    ["US", 0.0005015965168831449]
  ],
  "tld_geodiversity": [],
  "geoscore": 0,
  "ks_test": 0,
  "attack": "",
  "threat_type": "",
  "found": true
}
```

Note that in this sample both dga_score (38.30) and perplexity (0.45) lie outside the -100 to 0 range documented above, so treat the documented ranges as nominal: report out-of-range values rather than rejecting the response or hard-coding the bounds as validation limits.

---
[Related Domains for a Domain](https://docs.umbrella.com/developer/investigate-api/related-domains-for-a-domain-1/) < **Security Information for a Domain** > [Domain Tagging Dates for a Domain](https://docs.umbrella.com/developer/investigate-api/domain-tagging-dates-for-a-domain-1/)
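The following is an added example, not code from the Umbrella Investigate documentation or from Cisco. It builds the same GET /security/name/{domain} request that the curl command above issues, validates the domain before placing it in the URL path (a value taken from an alert feed such as `a.com/../admin` or `a.com?x=1` would otherwise change which resource is requested), and then combines the returned scores the way the page advises instead of acting on any single one. The endpoint URL, the Bearer header and the sample response are taken from this page; the -50 triage cutoff, the "two agreeing signals" rule and the function names are illustrative assumptions.

```python
"""Added example for the Investigate "Security Information for a Domain"
endpoint: build the request the page's curl command makes, then combine the
returned scores instead of trusting any single one. Not Cisco's code."""
import json
import re
import urllib.request

INVESTIGATE_BASE = "https://investigate.api.umbrella.com"

# Documented (low, high) range per score; the suspicious end is always the
# low end. pagerank, popularity, entropy and the geo fields have no documented
# range on the page, so they are reported but not thresholded.
SCORE_RANGES = {
    "dga_score": (-100.0, 0.0),
    "perplexity": (-100.0, 0.0),
    "securerank2": (-100.0, 100.0),
    "asn_score": (-100.0, 0.0),
    "prefix_score": (-100.0, 0.0),
    "rip_score": (-100.0, 0.0),
}
# Assumption: -50 is an illustrative triage cutoff, not vendor guidance.
SUSPICIOUS_THRESHOLD = -50.0

# RFC 1035-style hostname check: labels of 1-63 chars, at least two labels,
# total length <= 253. Nothing that could alter the URL path passes.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_DOMAIN_RE = re.compile(rf"^(?=.{{1,253}}$)(?:{_LABEL}\.)+{_LABEL}$", re.IGNORECASE)


def is_valid_domain(domain: str) -> bool:
    """True for a syntactically valid DNS name without a trailing dot."""
    return bool(_DOMAIN_RE.match(domain))


def normalize_domain(domain: str) -> str:
    """Canonicalise untrusted input before it is interpolated into the URL."""
    d = domain.strip().rstrip(".").lower()
    if not is_valid_domain(d):
        raise ValueError(f"not a valid DNS name: {domain!r}")
    return d


def build_request(domain: str, token: str) -> urllib.request.Request:
    """GET /security/name/{domain} with the Bearer header, as in the page's curl."""
    url = f"{INVESTIGATE_BASE}/security/name/{normalize_domain(domain)}"
    return urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})


def fetch_security_info(domain: str, token: str, timeout: float = 10.0) -> dict:
    """Perform the request over the network and return the parsed JSON body."""
    with urllib.request.urlopen(build_request(domain, token), timeout=timeout) as resp:
        return json.load(resp)


def triage(info: dict) -> dict:
    """Combine the features as the page advises: no single score decides.

    Returns a 'verdict' of 'no_data', 'known_threat', 'suspicious' or
    'unremarkable', the scores at the suspicious end of their documented
    range, the scores outside that range (which happens in the page's own
    sample), the named threat if any, and the top client countries.
    """
    if not info.get("found"):
        return {"verdict": "no_data", "flags": [], "out_of_range": [],
                "attack": "", "threat_type": "", "top_countries": []}
    flags, out_of_range = [], []
    for key, (low, high) in SCORE_RANGES.items():
        val = info.get(key)
        if val is None:
            continue
        if not low <= val <= high:
            out_of_range.append(key)      # report, do not reject
        elif val <= SUSPICIOUS_THRESHOLD:
            flags.append(key)
    # attack/threat_type are empty strings when no known threat is attached.
    attack = info.get("attack") or ""
    threat_type = info.get("threat_type") or ""
    # geodiversity is a list of [country_code, ratio] pairs; rank by ratio.
    pairs = sorted(info.get("geodiversity") or [], key=lambda p: p[1], reverse=True)
    top_countries = [country for country, _ in pairs[:3]]
    if attack or threat_type:
        verdict = "known_threat"
    elif len(flags) >= 2:                 # two independent reputation signals agree
        verdict = "suspicious"
    else:
        verdict = "unremarkable"
    return {"verdict": verdict, "flags": flags, "out_of_range": out_of_range,
            "attack": attack, "threat_type": threat_type,
            "top_countries": top_countries}


# The page's sample response, with its malformed "attack"/"threat_type" keys
# corrected to valid JSON. The deprecated "fastflux" field is kept but never read.
SAMPLE_RESPONSE = json.loads("""{
  "dga_score": 38.301771886101335, "perplexity": 0.4540313302593146,
  "entropy": 2.5216406363433186, "securerank2": -1.3135141095601992,
  "pagerank": 0.0262532, "asn_score": -29.75810625887133,
  "prefix_score": -64.9070502788884, "rip_score": -75.64720536038982,
  "popularity": 25.335450495507196, "fastflux": false,
  "geodiversity": [["UA", 0.24074075], ["IN", 0.018518519]],
  "geodiversity_normalized": [["AP", 0.3761535390278368], ["US", 0.0005015965168831449]],
  "tld_geodiversity": [], "geoscore": 0, "ks_test": 0,
  "attack": "", "threat_type": "", "found": true
}""")

if __name__ == "__main__":
    print(build_request("example.com", "%YourToken%").full_url)
    print(json.dumps(triage(SAMPLE_RESPONSE), indent=2))
```

Run against the page's own sample, `triage` flags prefix_score and rip_score, reports dga_score and perplexity as out of their documented range, and returns the verdict "suspicious" with no named threat attached. Replace `SAMPLE_RESPONSE` with the output of `fetch_security_info(domain, token)` to triage a live lookup; keep the token out of the source and read it from the environment or a secret store.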
